This is the accessible text file for GAO report number GAO-04-504T
entitled 'Aviation Security: Challenges Delay Implementation of
Computer-Assisted Passenger Prescreening System' which was released on
March 17, 2004.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Testimony:
Before the Subcommittee on Aviation, Committee on Transportation and
Infrastructure, House of Representatives:
United States General Accounting Office:
For Release on Delivery Expected at 10:00 a.m. EST:
Wednesday, March 17, 2004:
AVIATION SECURITY:
Challenges Delay Implementation of Computer-Assisted Passenger
Prescreening System:
Statement of Norman J. Rabkin, Managing Director, Homeland Security and
Justice Issues and David A. Powner, Director, Information Technology
Issues:
GAO-04-504T:
GAO Highlights:
Highlights of GAO-04-504T, a testimony before the Subcommittee on
Aviation, Committee on Transportation and Infrastructure, House of
Representatives:
Why GAO Did This Study:
The security of U.S. commercial aviation is a long-standing concern,
and substantial efforts have been undertaken to strengthen it. One such
effort is the development of a new Computer-Assisted Passenger
Prescreening System (CAPPS II) to identify passengers requiring
additional security attention. The development of CAPPS II has raised a
number of issues, including whether individuals may be inappropriately
targeted for additional screening and whether data accessed by the
system may compromise passengers' privacy. GAO was asked to summarize
the results of its previous report that looked at (1) the development
status and plans for CAPPS II; (2) the status of CAPPS II in addressing
key developmental, operational, and public acceptance issues; and (3)
additional challenges that could impede the successful implementation
of the system.
What GAO Found:
Key activities in the development of CAPPS II have been delayed, and
the Transportation Security Administration (TSA) has not yet completed
important system planning activities. TSA is currently behind schedule
in testing and developing initial increments of CAPPS II, due in large
part to delays in obtaining needed passenger data for testing from air
carriers because of privacy concerns. TSA also has not established a
complete plan identifying specific system functionality that will be
delivered, the schedule for delivery, and estimated costs. The
establishment of such plans is critical to maintaining project focus
and achieving intended results within budget. Without such plans, TSA
is at an increased risk of CAPPS II not providing the promised
functionality, of its deployment being delayed, and of incurring
increased costs throughout the system's development.
TSA also has not completely addressed seven of the eight issues
identified by the Congress as key areas of interest related to the
development, operation, and public acceptance of CAPPS II. Although TSA
is in various stages of progress on addressing each of these eight
issues, as of January 1, 2004, only one--the establishment of an
internal oversight board to review the development of CAPPS II--has
been completely addressed. However, concerns exist regarding the
timeliness of the board's future reviews. Other issues, including
ensuring the accuracy of data used by CAPPS II, stress testing,
preventing unauthorized access to the system, and resolving privacy
concerns have not been completely addressed, due in part to the early
stage of the system's development. See table below for a summary of
TSA's status in addressing the eight key legislative issues.
GAO identified three additional challenges TSA faces that may impede
the success of CAPPS II. These challenges are developing the
international cooperation needed to obtain passenger data, managing the
possible expansion of the program's mission beyond its original
purpose, and ensuring that identity theft--in which an individual poses
as and uses information of another individual--cannot be used to negate
the security benefits of the system. GAO believes that these issues, if
not resolved, pose major risks to the successful deployment and
implementation of CAPPS II.
What GAO Recommends:
In a recent report (GAO-04-385), GAO recommended that the Secretary of
the Department of Homeland Security (DHS) develop project plans,
including schedules and estimated costs; a plan for completing critical
security activities; a risk mitigation strategy for system testing;
policies governing program oversight; and a process by which passengers
can correct erroneous information. DHS generally concurred with the
report and its recommendations.
For more information, contact Norman J. Rabkin at (202) 512-8777 or
rabkinn@gao.gov or David Powner at (202) 512-9286 or pownerd@gao.gov.
[End of section]
Mr. Chairman and Members of the Subcommittee:
The security of our nation's commercial aviation system has been a
long-standing concern. For over 30 years, numerous efforts have been
undertaken to improve aviation security, but weaknesses persist.
Following the tragic events of September 11, 2001, substantial changes
were made to strengthen aviation security and reduce opportunities for
terrorists to hijack or destroy commercial aircraft. However, as recent
flight cancellations over the last 3 months have shown, the threat of
terrorist attempts to use commercial aircraft to inflict casualties and
damage remains. With thousands of daily flights carrying millions of
passengers, ensuring that no passenger poses a threat to commercial
aviation remains a daunting task.
My testimony today focuses on the development of and challenges facing
one particular effort underway to strengthen aviation security--the new
Computer-Assisted Passenger Prescreening System (CAPPS II). More
specifically, my testimony highlights three key areas: (1) the
development status and plans for CAPPS II, (2) the status of CAPPS II
in addressing eight program issues of particular concern to the
Congress, and (3) additional challenges that pose major risks to the
development and implementation of the system. My testimony is based on
our recently issued report[Footnote 1] and, because the development of
CAPPS II is ongoing, updated information we have acquired since our
report's issuance.
In summary, we found that:
* Key activities in the development of CAPPS II have been delayed, and
the Department of Homeland Security's (DHS) Transportation Security
Administration (TSA)--the agency responsible for developing CAPPS II--
has not yet completed important system planning activities. TSA is
currently behind schedule in testing and developing the initial phases--
called increments--of CAPPS II due in large part to delays in
obtaining needed passenger data for testing from air carriers because
of privacy concerns. Furthermore, the system's initial operating
capability--the point at which the system will be ready to operate with
data from one airline--has been postponed and a new date has not been
determined. TSA also has not yet established a complete plan that
identifies specific system functions that it will deliver, the schedule
for delivery, and the estimated costs throughout the system's
development. Establishing such plans is critical to maintaining project
focus and achieving intended system results. Project officials reported
that they have developed cost and schedule plans for initial
increments, but are unable to plan for future increments with any
certainty due to testing delays.
* TSA has not fully addressed seven of eight CAPPS II issues identified
by the Congress as key areas of interest, due in part to the early
stage of the system's development. The one issue that has been
addressed involves the establishment of an internal oversight board to
review the development of major systems, including CAPPS II. DHS and
TSA are taking steps to address the remaining seven issues; however,
they have not yet:
* determined and verified the accuracy of the databases to be used by
CAPPS II,
* stress tested and demonstrated the accuracy and effectiveness of all
search tools to be used by CAPPS II,
* developed sufficient operational safeguards to reduce the
opportunities for abuse,
* established substantial security measures to protect CAPPS II from
unauthorized access by hackers and other intruders,
* adopted policies to establish effective oversight of the use and
operation of the system,
* identified and addressed all privacy concerns, and
* developed and documented a process under which passengers impacted by
CAPPS II can appeal decisions and correct erroneous information.
* In addition to facing developmental and operational challenges
related to the key areas of interest of the Congress, CAPPS II also
faces a number of additional challenges that may impede its success.
These challenges are developing the international cooperation needed to
obtain passenger data, managing the expansion of the program's mission
beyond its original purpose, and ensuring that identity theft--in which
an individual poses as and uses information of another individual--
cannot be used to negate the security benefits of the system.
Background:
During the late 1960s and early 1970s, the government directed that all
passengers and their carry-on baggage be screened for dangerous items
before boarding a flight. As the volume of passengers requiring
screening increased and an awareness of terrorists' threats against the
United States developed, a computerized system was implemented in 1998
to help identify passengers posing the greatest risk to a flight so
that they could receive additional security attention. This system,
known as CAPPS,[Footnote 2] is operated by air carriers in conjunction
with their reservation systems. CAPPS enables air carriers to separate
passengers into two categories: those who require additional security
screening--termed "selectees"--and those who do not. Certain
information contained in the passenger's reservation is used by the
system to perform an analysis against established rules and a
government supplied "watch list" that contains the names of known or
suspected terrorists. If the person is deemed to be a "selectee," the
boarding pass is encoded to indicate that additional security measures
are required at the screening checkpoint. This system is currently used
by most U.S. air carriers to prescreen passengers and prescreens an
estimated 99 percent of passengers on domestic flights. For those
passengers not prescreened by the system, certain air carriers manually
prescreen their passengers using CAPPS criteria and the watch list.
Following the events of September 11, 2001, Congress passed the
Aviation and Transportation Security Act[Footnote 3] requiring that a
computer-assisted passenger prescreening system be used to evaluate all
passengers. TSA's Office of National Risk Assessment has undertaken the
development of a second-generation computer-assisted passenger
prescreening system, known as CAPPS II. Unlike the current system that
is operated by the air carriers, the government will operate CAPPS II.
Further, it will perform different analyses and access more diverse
data, including data from commercial and government databases, to
classify passengers according to their level of risk.
TSA program officials expect that CAPPS II will provide significant
improvements over the existing system. First, they believe a
centralized CAPPS II that will be owned and operated by the federal
government will allow for more effective and efficient use of up-to-date
intelligence information and make CAPPS II more capable of being
modified in response to changing threats. Second, they also believe
that CAPPS II will improve identity authentication and reduce the
number of passengers who are falsely identified as needing additional
security screening. Third, CAPPS II is expected to prescreen all
passengers on flights either originating in or destined for the United
States. Last, an additional expected benefit of the system is its
ability to aggregate risk scores to identify higher-risk flights,
airports, or geographic regions that may warrant additional aviation
security measures.
System Development Behind Schedule and Critical Plans Incomplete:
Key activities in the development of CAPPS II have been delayed, and
TSA has not yet completed key system planning activities. TSA plans to
develop CAPPS II in nine increments, with each increment providing
increased functionality. (See app. I for a description of these
increments.) As each increment is completed, TSA plans to conduct tests
that would ensure the system meets the objectives of that increment
before proceeding to the next increment. The development of CAPPS II
began in March 2003 with increments 1 and 2 being completed in August
and October 2003, respectively. However, TSA has not completely tested
these initial two increments because it was unable to obtain the
necessary passenger data for testing from air carriers. Air carriers
have been reluctant to provide passenger data due to privacy concerns.
Instead, the agency deferred completing these tests until increment 3.
TSA is currently developing increment 3. However, due to the
unavailability of passenger data needed for testing, TSA has delayed
the completion of this increment from October 2003 until at least the
latter part of this month and reduced the functionality that this
increment is expected to achieve. Increment 3 was originally intended
to provide a functioning system that could handle live passenger data
from one air carrier in a test environment to demonstrate that the
system can satisfy operational and functional requirements. However,
TSA officials reported that they recently modified increment 3 to
instead provide a functional application of the system in a simulated
test environment that is not actively connected to an airline
reservation system. Officials also said that they were uncertain when
the testing that was deferred from increments 1 and 2 to increment 3
will be completed. TSA recognizes that system testing is a high-risk
area and plans to further delay the implementation of the system to
ensure that sufficient testing is completed. As a result, all
succeeding increments of CAPPS II have been delayed, moving CAPPS II
initial operating capability--the point at which the system will be
ready to operate with one airline--from November 2003 to a date
unknown. (See app. II for a timeline showing the original and revised
schedule for CAPPS II increments.)
Further, we found that TSA has not yet developed critical elements
associated with sound project planning, including a plan for what
specific functionality will be delivered, by when, and at what cost
throughout the development of the system. Our work on similar systems
and other best practice research have shown that the application of
rigorous practices to the acquisition and development of information
systems improves the likelihood of the systems' success. In other
words, the quality of information technology systems and services is
governed largely by the quality of the processes involved in developing
and acquiring the system. We have reported that the lack of such
practices has contributed to cost, schedule, and performance problems
for major system acquisition efforts.[Footnote 4]
TSA established plans for the initial increments of the system,
including requirements for increments 1 and 2 and costs and schedules
for increments 1 through 4. However, officials lack a comprehensive
plan identifying the specific functions that will be delivered during
the remaining increments; for example, which government and commercial
databases will be incorporated, the date when these functions will be
delivered, and an estimated cost of the functions. In addition, TSA
officials recently reported that the expected functionality to be
achieved during early increments has been reduced, and officials are
uncertain when CAPPS II will achieve initial operating capability.
Project officials also said that because of testing delays, they are
unable to plan for future increments with any certainty.
By not completing these key system development planning activities, TSA
runs the risk that CAPPS II will not provide the full functionality
promised. Further, without a clear link between deliverables, cost, and
schedule, it will be difficult to know what will be delivered and when
in order to track development progress. Until project officials develop
a plan that includes scheduled milestones and cost estimates for key
deliverables, CAPPS II is at increased risk of not providing the
promised functionality, not being fielded when planned, and being
fielded at an increased cost.
Developmental, Operational, and Privacy Issues Identified by the
Congress Remain Unresolved:
In reviewing CAPPS II, we found that TSA has not fully addressed seven
of the eight issues identified by the Congress as key areas of interest
related to the development and implementation of CAPPS II. Public Law
108-90 identified eight key issues[Footnote 5] that TSA must fully
address before the system is deployed or implemented. These eight
issues are:
* establishing an internal oversight board,
* assessing the accuracy of databases,
* testing the system load capacity (stress testing) and demonstrating
its efficacy and accuracy,
* installing operational safeguards to protect the system from abuse,
* installing security measures to protect the system from unauthorized
access,
* establishing effective oversight of the system's use and operations,
* addressing all privacy concerns, and
* creating a redress process for passengers to correct erroneous
information.
While TSA is in various stages of progress to address each of these
issues, only the establishment of an internal oversight board to review
the development of CAPPS II has been fully addressed. For the remaining
issues, TSA program officials contend that their ongoing efforts will
ultimately address each issue. However, due to system development
delays, uncertainties regarding when passenger data will be obtained to
test the system, and the need to finalize key policy decisions,
officials were unable to identify a time frame for when all remaining
issues will be fully addressed.
The following briefly summarizes the status of TSA's efforts to address
each of the eight issues.
* Establishment of a CAPPS II oversight board has occurred.
DHS created an oversight board--the Investment Review Board--to review
the department's largest capital asset programs. The Board reviewed
CAPPS II in October 2003. Based on this review, the Board authorized
TSA to proceed with the system's development. However, DHS noted some
areas that the program needed to address. These areas included
addressing privacy and policy issues, coordinating with other
stakeholders, and identifying program staffing requirements and costs,
among others, and directed that these issues be addressed before the
system proceeds to the next increment.
Although DHS has the Board in place to provide internal oversight and
monitoring for CAPPS II and other large capital investments, we
recently reported that concerns exist regarding the timeliness of its
future reviews. DHS officials acknowledged that the Board is having
difficulty reviewing all of the critical departmental programs in a
timely manner.[Footnote 6] As of January 2004, DHS had identified about
50 of the largest capital assets that would be subject to the Board's
review. As CAPPS II's development proceeds, it will be important for
the Board to oversee the program on a regular and thorough basis to
provide needed oversight.
In addition, on February 12, 2004, DHS announced its intentions to
establish an external review board specifically for CAPPS II. This
review board will be responsible for ensuring that (1) the privacy
notice is being followed, (2) the appeal process is working
effectively, and (3) the passenger information used by CAPPS II is
adequately protected. However, in announcing the establishment of this
review board, DHS did not set a date as to when the board will be
activated or who would serve on the board.
* The accuracy of CAPPS II databases has not yet been determined.
TSA has not yet determined the accuracy--or conversely, the error rate--
of commercial and government databases that will be used by CAPPS II.
Since consistent and compatible information on database accuracy is not
available, TSA officials said that they will be developing and
conducting their own tests to assess the overall accuracy of
information contained in commercial and government databases. These
tests are not intended to identify all errors existing within a
database, but rather assess the overall accuracy of a database before
determining whether it is acceptable to be used by CAPPS II.
In addition to testing the accuracy of commercial databases, TSA plans
to better ensure the accuracy of information derived from commercial
databases by using multiple databases in a layered approach to
authenticating a passenger's identity. If available information is
insufficient to validate the passenger's identification in the first
database accessed, then CAPPS II will access another commercial
database to provide a second layer of data, and if necessary, still
other commercial databases. However, how to better ensure the accuracy
of government databases will be more challenging. TSA does not know
exactly what type of information the government databases contain, such
as whether a database will contain a person's name and full address, a
partial address, or no address at all. A senior program official said
that using data without assessing accuracy and mitigating data errors
could result in erroneous passenger assessments; consequently,
government database accuracy and mitigation measures will have to be
developed and completed before the system is placed in operation.
In mitigating errors in commercial and government databases, TSA plans
to use multiple databases and a process to identify misspellings to
correct errors in commercial databases. TSA is also developing a
redress process whereby passengers can attempt to get erroneous data
corrected. However, it is unclear what access passengers will have to
information found in either government or commercial databases, or who
is ultimately responsible for making corrections. Additionally, if
errors are identified during the redress process, TSA does not have the
authority to correct erroneous data in commercial or government
databases. TSA officials said they plan to address this issue by
establishing protocols with commercial data providers and other federal
agencies to assist in the process of getting erroneous data corrected.
* Stress testing and demonstration of the system's efficacy and
accuracy have been delayed.
TSA has not yet stress tested CAPPS II increments developed to date or
conducted other system-related testing to fully demonstrate the
effectiveness and accuracy of the system's search capabilities, or
search tools, to correctly assess passenger risk levels. TSA initially
planned to conduct stress testing on an early increment of the system
by August 2003. However, stress testing was delayed several times due
to TSA's inability to obtain the 1.5 million Passenger Name Records it
estimates are needed to test the system. TSA attempted to obtain the
data needed for testing from three different sources but encountered
problems due to privacy concerns associated with its access to the
data. For example, one air carrier initially agreed to provide
passenger data for testing purposes, but adverse publicity resulted in
its withdrawal from participation.
Further, as the system is more fully developed, TSA will need to
conduct stress testing. For example, there is a stringent performance
requirement for the system to process 3.5 million risk assessment
transactions per day with a peak load of 300 transactions per second
that cannot be fully tested until the system is further along in
development. Program officials acknowledge that achieving this
performance requirement is a high-risk area and have initiated
discussions to define how this requirement will be achieved. However,
TSA has not yet developed a complete mitigation strategy to address
this risk. Without a strategy for mitigating the risk of not meeting
peak load requirements, the likelihood that the system may not be able
to meet performance requirements increases.
Other system-related testing to fully demonstrate the effectiveness and
accuracy of the system's search tools in assessing passenger risk
levels also has not been conducted. This testing was also planned for
completion by August 2003, but similar to the delays in stress testing,
TSA's lack of access to passenger data prevented the agency from
conducting these tests. In fact, TSA has only used 32 simulated
passenger records--created by TSA from the itineraries of its employees
and contractor staff who volunteered to provide the data--to conduct
this testing. TSA officials said that the limited testing--conducted
during increment 2--has demonstrated the effectiveness of the system's
various search tools. However, tests using these limited records do not
replicate the wide variety of situations they expect to encounter with
actual passenger data when full-scale testing is actually undertaken.
As a result, the full effectiveness and accuracy of the tools have not
been demonstrated.
TSA's attempts to obtain test data are still ongoing, and privacy
issues remain a stumbling block. TSA officials believe they will
continue to have difficulty in obtaining data for both stress and other
testing until TSA issues a Notice of Proposed Rulemaking to require
airlines to provide passenger data to TSA. This action is currently
under consideration within TSA and DHS. In addition, TSA officials said
that before the system is implemented, a final Privacy Act notice will
be published. According to DHS's Chief Privacy Officer, the agency
anticipated that the Privacy Act notice would be finalized in March
2004. However, this official told us that the agency will not publish
the final Privacy Act notice until all 15,000 comments received in
response to the August 2003 Privacy Act notice are reviewed and testing
results are available. DHS could not provide us a date as to when this
will be accomplished. Further, due to the lack of test data, TSA
delayed the stress and system testing planned for increments 1 and 2 to
increment 3, scheduled to be completed by March 31, 2004. However,
since we issued our report last month, a TSA official said that they no
longer expect to conduct this testing during increment 3 and do not
have an estimated date for when these tests will be conducted.
Uncertainties surrounding when stress and system testing will be
conducted could impact TSA's ability to allow sufficient time for
testing, resolving defects, and retesting before CAPPS II can achieve
initial operating capability and may further delay system deployment.
* Security plans that include operational and security safeguards are
not complete.[Footnote 7]
Due to schedule delays and the early stage of CAPPS II development, TSA
has not implemented critical elements of an information system security
program to reduce opportunities for abuse and protect against
unauthorized access by hackers. These elements--a security policy, a
system security plan, a security risk assessment, and the certification
and accreditation of the security of the system--together provide a
strong security framework for protecting information technology data
and assets. While TSA has begun to implement critical elements of an
information security management program for CAPPS II, these elements
have not been completed. Until a specific security policy for CAPPS II
is completed, TSA officials reported that they are using relevant
portions of the agency's information security policy and other
government security directives as the basis for its security policy. As
for the system security plan, it is currently in draft. TSA expects to
complete this plan by the time initial operating capability is
achieved. Regarding the security risk assessment, TSA has postponed
conducting this assessment because of development delays and it has not
been rescheduled. The completion date remains uncertain because TSA
does not have a date for achieving initial operating capability as a
result of other CAPPS II development delays. As for final certification
and accreditation, TSA is unable to schedule the final certification
and accreditation of CAPPS II because of the uncertainty regarding the
system's development schedule.
The establishment of a security policy and the completion of the system
security plan, security risk assessment, and certification and
accreditation process are critical to ensuring the security of CAPPS
II. Until these efforts are completed, there is decreased assurance
that TSA will be able to adequately protect CAPPS II information and an
increased risk of operational abuse and access by unauthorized users.
* Policies for effective oversight of the use and operation of CAPPS II
are not developed.
TSA has not yet fully established controls to oversee the effective use
and operation of CAPPS II. However, TSA plans to provide oversight of
CAPPS II through two methods: (1) establishing goals and measures to
assess the program's strengths, weaknesses, and performance and (2)
establishing mechanisms to monitor and evaluate the use and operation
of the system.
TSA has established preliminary goals and measures to assess the CAPPS
II program's performance in meeting its objectives as required by the
Government Performance and Results Act.[Footnote 8] Specifically, the
agency has established five strategic objectives with preliminary
performance goals and measures for CAPPS II. While this is a good first
step, these measures may not be sufficient to provide the objective
data needed to conduct appropriate oversight. TSA officials said that
they are working with five universities to assess system effectiveness
and management and will develop metrics to be used to measure the
effectiveness of CAPPS II. With this information, officials expect to
review and, as necessary, revise their goals and objectives to provide
management and the Congress with objective information to provide
system oversight.
In addition, TSA has not fully established or documented additional
oversight controls to ensure that operations are effectively monitored
and evaluated. Although TSA has built capabilities into CAPPS II to
monitor and evaluate the system's operation and plans to conduct audits
of the system to determine whether it is functioning as intended, TSA
has not written all of the rules that will govern how the system will
operate. Consequently, officials do not yet know how these capabilities
will function, how they will be applied to monitor the system to
provide oversight, and what positions and offices will be responsible
for maintaining the oversight. Until these policies and procedures for
CAPPS II are developed, there is no assurance that proper controls are
in place to monitor and oversee the system.
* TSA's plans address privacy protection, but issues remain unresolved.
TSA's plans for CAPPS II reflect an effort to protect individual
privacy rights, but certain issues remain unresolved. Specifically, TSA
plans address many of the requirements of the Privacy Act, the primary
legislation that regulates the government's use of personal
information.[Footnote 9] For example, in January 2003, TSA issued a
notice in the Federal Register that generally describes the Privacy Act
system of records[Footnote 10] that will reside in CAPPS II and asked
the public to comment. While TSA has taken these initial steps, it has
not yet finalized its plans for complying with the act. For example,
the act and related Office of Management and Budget guidance[Footnote
11] state that an agency proposing to exempt a system of records from a
Privacy Act provision must explain the reasons for the exemption in a
published rule. In January 2003, TSA published a proposed rule to
exempt the system from seven Privacy Act provisions but has not yet
provided the reasons for these exemptions, stating that this
information will be provided in a final rule to be published before the
system becomes operational. As a result, TSA's justification for these
exemptions remains unclear. Until TSA finalizes its privacy plans for
CAPPS II and addresses such concerns, the public lacks assurance that
the system will fully comply with the Privacy Act.
When viewed in the larger context of Fair Information
Practices[Footnote 12]--internationally recognized privacy principles
that also underlie the Privacy Act--TSA plans reflect some actions to
address each of these practices. For example, TSA's plan to not collect
passengers' social security numbers from commercial data providers and
to destroy most passenger information shortly after they have completed
their travel itinerary appears consistent with the collection
limitation practice, which states that collections of personal
information should be limited. However, to meet its evolving mission
goals, TSA plans also appear to limit the application of certain of
these practices. For example, TSA plans to exempt CAPPS II from the
Privacy Act's requirements to maintain only that information about an
individual that is relevant and necessary to accomplish a proper agency
purpose. These plans reflect the subordination of the use limitation
practice and data quality practice (personal information should be
relevant to the purpose for which it is collected) to other goals and
raise concerns that TSA may collect and maintain more information than
is needed for the purpose of CAPPS II, and perhaps use this information
for new purposes in the future. Such actions to limit the application
of the Fair Information Practices do not violate federal requirements.
Rather, they reflect TSA's efforts to balance privacy with other public
policy interests such as national security, law enforcement, and
administrative efficiency. As the program evolves, it will ultimately
be up to policymakers to determine if TSA has struck an appropriate
balance among these competing interests.
* Redress process is being developed, but significant challenges
remain.
TSA intends to establish a process by which passengers who are subject
to additional screening or denied boarding will be provided the
opportunity to seek redress by filing a complaint; however, TSA has not
yet finalized this process. According to TSA officials, the redress
process will make use of TSA's existing complaint process--currently
used for complaints from passengers denied boarding passes--to document
complaints and provide these to TSA's Ombudsman.[Footnote 13]
Complaints relating to CAPPS II will be routed through the Ombudsman to
a Passenger Advocate--a position to be established within TSA for
assisting individuals with CAPPS II-related concerns--who will help
identify errors that may have caused a person to be identified as a
false positive.[Footnote 14] If the passengers are not satisfied with
the response received from the Passenger Advocate regarding the
complaint, they will have the opportunity to appeal their case to the
DHS Privacy Office.
A number of key policy issues associated with the redress process,
however, still need to be resolved. These issues involve data
retention, access, and correction. Current plans for data retention
indicate that data on U.S. travelers and lawful permanent residents
will be deleted from the system at a specified time following the
completion of the passengers' itinerary. Although TSA's decision to
limit the retention of data was made for privacy considerations, the
short retention period might make it impossible for passengers to seek
redress if they do not register complaints quickly. TSA has also not
yet determined the extent of data access that will be permitted for
those passengers who file a complaint. TSA officials said that
passengers will not have access to any government data used to generate
a passenger risk score due to national security concerns. TSA officials
have also not determined to what extent, if any, passengers will be
allowed to view information used by commercial data providers.
Furthermore, TSA has not yet determined how the process of correcting
erroneous information will work in practice. TSA documents and program
officials said that it may be difficult for the Passenger Advocate to
identify errors, and that it could be the passenger's responsibility to
correct errors in commercial databases at their source.
To address these concerns, TSA is exploring ways to assist passengers
who are consistently determined to be false positives. For example, TSA
has discussed incorporating an "alert list" that would consist of
passengers who coincidentally share a name with a person on a
government watch list and are, therefore, continually flagged for
additional screening. Although the process has not been finalized,
current plans indicate that a passenger would be required to submit to
an extensive background check in order to be placed on the alert list.
TSA said that available remedies for all persons seeking redress will
be more fully detailed in CAPPS II's privacy policy, which will be
published before the system achieves initial operating capability.
Other Challenges Could Affect the Successful Implementation of CAPPS
II:
In addition to facing developmental and operational challenges related
to key areas of interest to the Congress, CAPPS II faces a number of
additional challenges that may impede its success. We identified three
issues that, if not adequately resolved, pose major risks to the
successful development, implementation, and operation of CAPPS II.
These issues are developing the international cooperation needed to
obtain passenger data, managing the expansion of the program's mission
beyond its original purpose, and ensuring that identity theft--in which
an individual poses as and uses information of another individual--
cannot be used to negate the security benefits of the system.
International Cooperation:
For CAPPS II to operate fully and effectively, it needs data not only
on U.S. citizens who are passengers on flights of domestic origin, but
also on foreign nationals on domestic flights and on flights to the
United States originating in other countries. However, obtaining
international cooperation for access to these data remains a
substantial challenge. The European Union, in particular, has objected
to its citizens' data being used by CAPPS II, whether a citizen of a
European Union country flies on a U.S. carrier or an air carrier under
another country's flag. The European Union has asserted that using such
data is not in compliance with its privacy directive and violates the
civil liberties and privacy rights of its citizens.
DHS and European Union officials are in the process of finalizing an
understanding regarding the transfer of passenger data for use by the
Bureau of Customs and Border Protection. However, this understanding
does not permit the passenger data to be used by TSA in the operation
of CAPPS II but does allow for the data to be used for testing
purposes. According to a December 16, 2003, report from the Commission
of European Communities, the European Union will not be in a position
to agree to the use of its citizens' passenger data for CAPPS II until
internal U.S. processes have been completed and it is clear that the
U.S. Congress's privacy concerns have been resolved. The Commission
said that it would discuss the use of European Union citizen passenger
data in a second, later round of discussions.
Expansion of Mission:
Our review found that CAPPS II may be expanded beyond its original
purpose and that this expansion may affect program objectives and
public acceptance of the system. The primary objective of CAPPS II was
to protect the commercial aviation system from the risk of foreign
terrorism by screening for high-risk or potentially high-risk
passengers. However, in the August 2003 interim final Privacy Act
notice for CAPPS II, TSA stated that the system would seek to identify
both domestic and foreign terrorists and not just foreign terrorists as
previously proposed. The August notice also stated that the system
could be expanded to identify persons who are subject to outstanding
federal or state arrest warrants for violent crimes and that CAPPS II
could ultimately be expanded to include identifying individuals who are
in the United States illegally or who have overstayed their visas.
DHS officials have said that such changes are not an expansion of the
system's mission because they believe it will improve aviation security
and is consistent with CAPPS II's mission. However, program officials
and advocacy groups expressed concern that focusing on persons with
outstanding warrants, and possibly immigration violators, could put TSA
at risk of diverting attention from the program's fundamental purpose.
Expanding CAPPS II's mission could also lead to an erosion of public
confidence in the system, which program officials agreed is essential
to the effective operation of CAPPS II. This expansion could also
increase the costs of passenger screening, as well as the number of
passengers erroneously identified as needing additional security
attention because some of the databases that could be used to identify
wanted felons have reliability concerns.
Identity Theft:
Another challenge facing the successful operation of CAPPS II is the
system's ability to effectively identify passengers who assume the
identity of another individual, known as identity theft. TSA officials
said that while they believe CAPPS II will be able to detect some
instances of identity theft, they recognized that the system will not
detect all instances of identity theft without implementing some type
of biometric indicator, such as fingerprinting or retinal scans. TSA
officials said that while CAPPS II cannot address all cases of identity
theft, CAPPS II should detect situations in which a passenger submits
fictitious information such as a false address. These instances would
likely be detected since the data being provided would either not be
validated or would be inconsistent with information in the databases
used by CAPPS II. Additionally, officials said that data on identity
theft may be available through credit bureaus and that in the future
they expect to work with the credit bureaus to obtain such data.
However, the officials acknowledge that some identity theft is
difficult to spot, particularly if the identity theft is unreported or
if collusion, where someone permits his or her identity to be assumed
by another person, is involved.
TSA officials said that there should not be an expectation that CAPPS
II will be 100 percent accurate in identifying all cases of identity
theft. Further, the officials said that CAPPS II is just one layer in
the system of systems that TSA has in place to improve aviation
security, and that passengers who were able to thwart CAPPS II by
committing identity theft would still need to go through normal
checkpoint screening and other standard security procedures. TSA
officials believe that, although not fool-proof, CAPPS II represents an
improvement in identity authentication over the current system.
Concluding Observations:
The events of September 11, 2001, and the ongoing threat of commercial
aircraft hijackings as a means of terrorist attack against the United
States continue to highlight the importance of a proactive approach to
effectively prescreening airline passengers. An effective prescreening
system would not only expedite the screening of passengers, but would
also accurately identify those passengers warranting additional
security attention, including those passengers determined to have an
unacceptable level of risk who would be immediately assessed by law
enforcement personnel. CAPPS II, while holding the promise of providing
increased benefits over the current system, faces significant
challenges to its successful implementation. Uncertainties surrounding
the system's future functionality and schedule alone result in the
potential that the system may not meet expected requirements, may
experience delayed deployment, and may incur increased costs throughout
the system's development. Of the eight issues identified by the
Congress related to CAPPS II, only one has been fully addressed.
Additionally, concerns about mission expansion and identity theft add
to the public's uncertainty about the success of CAPPS II.
Our recent report on CAPPS II made seven specific recommendations that
we believe will help address these concerns and challenges. The
development of plans identifying the specific functionality that will
be delivered during each increment of CAPPS II and its associated
milestones for completion and the expected costs for each increment
would provide TSA with critical guidelines for maintaining the
project's focus and achieving intended system results and milestones
within budget. Furthermore, a schedule for critical security
activities, a strategy for mitigating the high risk associated with
system and database testing, and appropriate oversight mechanisms would
enhance assurance that the system and its data will be adequately
protected from misuse. In addition to these steps, development of
results-oriented performance goals and measures would help ensure that
the system is operating as intended. Last, given the concerns regarding
the protection of passenger data, the system cannot be fully accepted
if it lacks a redress process for those who believe they are
erroneously identified as an unknown or unacceptable risk.
Our recently published report highlighted each of these concerns and
challenges and contained several recommendations to address them. DHS
generally concurred with our findings and has agreed to address the
related recommendations. By adequately addressing these
recommendations, we believe DHS increases the likelihood of
successfully implementing this program. In the interim, it is crucial
that the Congress maintain vigilant oversight of DHS to see that these
concerns and challenges are addressed.
Mr. Chairman, this concludes my statement. I would be pleased to answer
any questions that you or other members of the Subcommittee may have at
this time.
GAO Contacts and Acknowledgments:
For further information on this testimony, please contact Norman J.
Rabkin at (202) 512-8777 or David A. Powner at (202) 512-9286.
Individuals making key contributions to this testimony include J.
Michael Bollinger, Adam Hoffman, and John R. Schulze.
[End of section]
Appendix I: CAPPS II Developmental Increments:
The following describes general areas of functionality to be completed
during each of the currently planned nine developmental increments of
the Computer-Assisted Passenger Prescreening System (CAPPS II).
Increment 1. System functionality established at the central processing
center. By completion of increment 1, the system will be functional at
the central processing center and can process passenger data and
support intelligence validation using in-house data (no use of airline
data). Additionally, at this increment, validation will be completed
for privacy and policy enforcement tools; the exchange of, and
processing with, data from multiple commercial data sources; and
processing of government databases to support multiple watch-lists.
Increment 2. System functionality established to support processing
airline data. At the completion of increment 2, the system is
functionally and operationally able to process airline data.
Additionally, the system can perform functions such as prioritizing
data requests, reacting to threat level changes, and manually
triggering a "rescore" for individual passengers in response to
reservation changes or adjustments to the threat level.
Increment 3. This increment will provide for a functional system that
will use a test simulator that will not be connected to an airline's
reservation system. System hardware that includes the establishment of
test and production environments will be in place and a facility
capable of performing risk assessment will be established. Design and
development work for system failure with a back up system and help desk
infrastructure will be put in place.
Increment 4. By the completion of this increment, a back up location
will be functionally and operationally able to support airlines
processing application, similar to the main location. A help desk will
be installed to provide assistance to airlines, authenticator, and
other user personnel.
Increment 5. Enhanced intelligence interface. At the conclusion of this
increment, the system will be able to receive from DHS the current
threat level automatically and be able to adjust the system in response
to changes in threat levels. The system will also be able to
semi-automatically rescore and reclassify passengers that have already been
authenticated.
Increment 6. Enhanced passenger authentication. This increment will
allow the system to perform passenger authentication using multiple
commercial data sources in the instance that little information on a
passenger is available from the original commercial data source.
Increment 7. Integration of other system users. By the completion of
this increment, TSA Aviation Operations and law enforcement
organizations will be integrated into CAPPS II, allowing multiple
agencies and organizations to do manpower planning and resource
allocations based on the risk level of the nation, region, airport, or
specific flight.
Increment 8. Enhanced risk assessments. This increment provides for the
installation of capabilities and data sources to enhance risk
assessments, which will lower the number of passengers falsely
identified for additional screening. This increment also provides for a
direct link to the checkpoint for passenger classification, rather than
having the passenger's score encoded on their boarding pass.
Increment 9. Completion of system. Increment 9 marks the completion of
the system as it moves into full operation and maintenance, which will
include around-the-clock support and administration of the system,
database, and network, among other things.
[End of section]
Appendix II: Timeline for Developing CAPPS II, by Original and Revised
Increment Schedule:
[See PDF for image]
[A] System functionality to be achieved at revised schedule dates will
be less than originally planned.
[End of figure]
[End of section]
FOOTNOTES
[1] U.S. General Accounting Office, Aviation Security:
Computer-Assisted Passenger Prescreening System Faces Significant
Implementation Challenges, GAO-04-385 (Washington, D.C.: Feb. 12,
2004).
[2] When initially developed by the Federal Aviation Administration,
this system was known as the Computer-Assisted Passenger Screening
system or CAPS.
[3] Pub. L. No. 107-71, § 136, 115 Stat. 597, 637 (2001).
[4] U.S. General Accounting Office, Major Management Challenges and
Program Risks: A Government-wide Perspective, GAO-03-95 (Washington,
D.C.: January 2003) and High-Risk Series: An Update, GAO-03-119
(Washington, D.C.: January 2003).
[5] Department of Homeland Security Appropriations Act, 2004, Pub. L.
No. 108-90, § 519, 117 Stat. 1137, 1155-56 (2003).
[6] U.S. General Accounting Office, Information Technology: OMB and
Department of Homeland Security Investment Reviews, GAO-04-323
(Washington, D.C.: Feb. 10, 2004).
[7] Because operational safeguards to reduce opportunities for abuse
and security measures to protect CAPPS II from unauthorized access by
hackers are so closely related, these two issues are discussed jointly.
[8] Pub. L. No. 103-62, 107 Stat. 285 (1993).
[9] Pub. L. No. 93-579, 88 Stat. 1896 (1974) (codified as amended at 5
U.S.C. § 552a).
[10] Under the act, a system of records is a collection of information
about individuals under the control of an agency from which information
is actually retrieved by an individual's name or by some identifying
number, symbol, or other particular assigned to the individual.
[11] Responsibilities for the Maintenance of Records About Individuals
by Federal Agencies, 40 Fed. Reg. 28,948, 28,972 (July 9, 1975).
[12] We refer to the eight Fair Information Practices proposed in 1980
by the Organization for Economic Cooperation and Development and that
were endorsed by the U.S. Department of Commerce in 1981. These
practices are collection limitation, purpose specification, use
limitation, data quality, security safeguards, openness, individual
participation, and accountability.
[13] The Ombudsman is the designated point of contact for TSA-related
inquiries from the public.
[14] Passengers who are erroneously delayed or prohibited from boarding
their scheduled flights are considered false positives.